UK organisations unprepared for EU data breach disclosure law

Some 87% of UK businesses admit they would be unable to identify the individuals affected by a data
breach within the EU's proposed 24-hour timeframe.

A further 13% said it would take them between a week and one month to pinpoint which customer
data was affected, and 6% did not believe they would ever be able to accurately obtain this
information, according to research by security management firm LogRhythm.

Most UK businesses do not believe they have the capability to comply with the proposed EU data
protection regulations, said Ross Brewer, vice-president and managing director for international
markets at LogRhythm.

"Traditional security has focused on the perimeter defences, not analysis, so most firms are
woefully unprepared for the new EU data protection regulation," Brewer told Computer Weekly.

However, he said organisations should already have a high level of visibility of data on their
networks to comply properly with the existing UK Data Protection Act.

When asked about their ability to produce accurate breach notifications, 72% of respondents said
the implementation of a 24-hour notice period would put their organisations at risk of
over-disclosure.

Brewer said over-disclosure happens when organisations are forced to reveal more information
than is necessary, for example notifying every individual who might have been affected by a breach,
rather than just those who definitely were.

“Over-disclosure is an issue that has been causing concern in locations such as the US, that
already have breach notification laws in place,” Brewer said.

The issuing of blanket breach notifications will inevitably have negative repercussions for the
affected organisation, he said. For example, the severity of an incident may be overstated, leading
to a loss of confidence among existing and potential customers.

"In addition, the cost of informing an individual their data may have been stolen is just as
high as telling them it definitely has and is often an unnecessary expense," said Brewer.

The LogRhythm research provided an insight into the motivations driving the decisions behind IT
security strategy. Despite an escalation in the cyber threat in recent years, 52% of respondents
reported that the proportion of IT budget spent on security had not gone up in the past five
years.

In addition, 77% said the implementation of data breach penalties – such as the EU’s proposed 2%
of an organisation’s global turnover – would motivate them to increase spending on IT security.

The proposed level of fines shows how seriously the EU is taking data protection and should help
focus the minds of business leaders on improving the way their organisations handle personal data,
said Brewer.

The study provided further evidence of the lack of network visibility that seems to be common
amongst organisations today. When asked if their company had ever experienced a security breach
incident, 27% said they did not know.

In addition, 47% of respondents admitted that data is analysed only after a security event has
occurred, rather than on a proactive basis.

While the research indicates that security spending is not going up, it does show that organisations
are beginning to realise how effective modern cyber threats are at achieving their goals: 28% of
respondents said it is doubtful that breaches can be prevented, and 18% said breaches are now
inevitable, regardless of the security measures in place.

“It is worrying that so many organisations’ IT security decisions seem to be motivated by
non-compliance and the threat of financial penalties, rather than a desire to employ a
best-practice approach," said Brewer.

He said these attitudes appear to stem from the top, as 50% of respondents stated that new
regulations are one of the main ways of engaging senior level staff with the IT security
decision-making process.

“It was also a surprise to find that almost half of respondents are still employing a post-event
analysis approach, when the general feeling is that traditional security solutions are no longer
able to prevent breaches," said Brewer.

Clearly a best-practice approach would be to employ continuous collection and analysis of all
log data generated by the IT estate, he said. Brewer believes this would provide the traceability
required to detect any early indication of an impending attack.

"Effective remediation of threats, and limitation of the damage they can cause, depends on
organisations having this ability to combat them in the early stages, something only proactive
protective monitoring can provide," he said.
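The two points Brewer makes, that over-disclosure follows from not knowing which records an attacker actually touched, and that continuous log analysis gives the traceability needed to catch an intrusion early, can both be seen in a small worked example. The following Python is an added illustration and is not code from Computer Weekly, LogRhythm or any product mentioned here. The audit-log format, the sample lines, the "trusted" internal address range and the rule that a login from outside that range indicates a compromised account are all constructed assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample audit log (not real data). The key=value layout is an
# assumption made for this example; it is not LogRhythm's or any real format.
AUDIT_LOG = """\
2013-03-04T09:12:01Z session=s1 user=alice src=10.0.0.5 action=login
2013-03-04T09:12:05Z session=s1 user=alice src=10.0.0.5 action=read record=cust-1001
2013-03-04T09:12:09Z session=s1 user=alice src=10.0.0.5 action=read record=cust-1002
2013-03-04T22:41:13Z session=s2 user=alice src=198.51.100.7 action=login
2013-03-04T22:41:20Z session=s2 user=alice src=198.51.100.7 action=read record=cust-1003
2013-03-04T22:41:22Z session=s2 user=alice src=198.51.100.7 action=read record=cust-1004
2013-03-04T22:41:25Z session=s2 user=alice src=198.51.100.7 action=export record=cust-1004
2013-03-05T08:03:44Z session=s3 user=bob src=10.0.0.9 action=login
2013-03-05T08:03:50Z session=s3 user=bob src=10.0.0.9 action=read record=cust-2001
"""

# Assumed for the example: the application is only reachable from this internal
# range, so a login from anywhere else is treated as an indicator of compromise.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Actions that expose a customer's personal data to whoever issued them.
DATA_ACTIONS = {"read", "export"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not fit."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts}
    for pair in match.group("fields").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line, dropping any that cannot be parsed."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def attacker_sessions(events):
    """Sessions whose login came from outside the trusted networks.

    This is the early indication a continuous monitor would alert on at login
    time, before the attacker has read a single record.
    """
    return {e.get("session") for e in events
            if e.get("action") == "login" and not is_trusted(e["src"])}


def scope_breach(events):
    """Return (definitely_affected, possibly_affected) sets of record IDs.

    definitely_affected: records actually read or exported inside attacker
    sessions. possibly_affected: every record the compromised accounts ever
    touched, which is all that can be said without session-level attribution.
    """
    bad_sessions = attacker_sessions(events)
    compromised_users = {e.get("user") for e in events
                         if e.get("session") in bad_sessions}
    definitely = {e["record"] for e in events
                  if e.get("session") in bad_sessions
                  and e.get("action") in DATA_ACTIONS and "record" in e}
    possibly = {e["record"] for e in events
                if e.get("user") in compromised_users and "record" in e}
    return definitely, possibly


def over_disclosure(events):
    """Individuals a blanket notification would contact needlessly."""
    definitely, possibly = scope_breach(events)
    return len(possibly - definitely)


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    print("attacker sessions:", sorted(attacker_sessions(evs)))
    definite, possible = scope_breach(evs)
    print("definitely affected:", sorted(definite))
    print("possibly affected:", sorted(possible))
    print("needless notifications:", over_disclosure(evs))
```

On the sample data the compromised account is alice, but only session s2 is the attacker's, so two records are definitely affected while a blanket notice keyed on the account alone would contact four. The definite set is only as good as the record-level audit trail behind it: if the application logged logins but not which records each session read, `scope_breach` would have nothing to put in the definite set and the organisation would be pushed into exactly the over-disclosure the article describes. The login-source rule is deliberately simple; in practice a monitor would combine it with other indicators (impossible travel, unusual volume, off-hours access) and would have to be running continuously for the alert to arrive in time to matter.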
